neconyd | e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 04:45

Target

e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8.exe
Size

88KB
MD5

407217d4f6cbdf4ac2db283ba2300a31
SHA1

75ac604bdd3a9bd2aa859f97936b8e4355e7589f
SHA256

e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8
SHA512

ee19b8fa70dadfa922100d820869aed7f01f393739f7cd688d12ac65590d6494cf64b7c125798862ba8f694e9ad73f912eb4771153138b2e67ece5df647c1996
SSDEEP

1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2644	3240	e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8.exe	81
PID 3240 wrote to memory of 2644	3240	e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8.exe	81
PID 3240 wrote to memory of 2644	3240	e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8.exe	81
PID 2644 wrote to memory of 884	2644	omsecor.exe	93
PID 2644 wrote to memory of 884	2644	omsecor.exe	93
PID 2644 wrote to memory of 884	2644	omsecor.exe	93
PID 884 wrote to memory of 1184	884	omsecor.exe	94
PID 884 wrote to memory of 1184	884	omsecor.exe	94
PID 884 wrote to memory of 1184	884	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8.exe
"C:\Users\Admin\AppData\Local\Temp\e5e5e6167962458c35f2a3a1b35a9b12ab285143b5761930a458ea06d96fc6d8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1184

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2458d078a80f3e9fb56d9bc402278fce

SHA1
1ac808aaa699c672f22e9167c3ca574cae9785ca

SHA256
1d7f0b0d3063ddae2eefcd5b2f4048bd3a31ee1897deccce68320aab44288130

SHA512
6011e2fd0a62be44ffc32b4a74bd3ad9348f888ff424c53ada064c670c5ee132f92bf1bb74e0eca13275395a1b2fece2d02bc6c8fb49fe8d6ffc3598dbe9e4a4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
eb4e2478ac911ed5235815d95afe5219

SHA1
3bfd3924fd9962e9f07989c7a8f4b4f3f17fe75b

SHA256
72bb6aab576fc0f768f568d1954a13f7327b1b89360616311e89f05a3a4b2dca

SHA512
2b10c1e4516b26a26613d773b645e6548214ac545c1236c3658601c99d720e49468db95958ad54398eb145c1624013f6ce1062999a619ebe60f32a536fbf10a3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
149aa5e2d402ddf84dbe23f9858dfc0c

SHA1
2d6ba5e48b470c534e47a95e7ed82f1747abc9b2

SHA256
854e0e3583aa072bf2ff1a363eff08efa013cd4b6af4f4afd808f12e77103e95

SHA512
003e299a63ae79d14fefd9b3164ea48043163a71c2778b1d030b0c9de242e4ea2861dde985c99189795b160c2f1d8a6b3aa71dfb42133cb61cdc2470ce02ee7d

Download Submit